Systems Security Certified Practitioner | (SSCP)

1.1 – Comply with codes of ethics

• ISC2 Code of Ethics
• Organizational code of ethics

1.2 – Understand security concepts

• Confidentiality
• Integrity
• Availability
• Accountability
• Privacy
• Non-repudiation
• Least privilege
• Segregation of Duties (SoD)

1.3 – Identify and implement security controls

• Technical controls (e.g., session timeout, password aging)
• Physical controls (e.g., mantraps, cameras, locks)
• Administrative controls (e.g., security policies, standards, procedures, baselines)
• Assessing compliance
• Periodic audit and review

1.4 – Document and maintain functional security controls

• Deterrent controls
• Preventative controls
• Detective controls
• Corrective controls
• Compensating controls

1.5 – Participate in asset management lifecycle (hardware, software and data)

• Process, planning, design and initiation
• Development/Acquisition
• Inventory and licensing
• Implementation/Assessment
• Operation/Maintenance
• Archiving and retention requirements
• Disposal and destruction

1.6 – Participate in change management lifecycle

• Change management (e.g., roles, responsibilities, processes)
• Security impact analysis
• Configuration management (CM)

1.7 – Participate in implementing security awareness and training (e.g., social engineering/phishing)

1.8 – Collaborate with physical security operations (e.g., data center assessment, badging)

2.1 – Implement and maintain authentication methods

• Single/Multi-Factor Authentication (MFA)
• Single Sign-On (SSO) (e.g., Active Directory Federation Services (ADFS), OpenID connect)
• Device authentication
• Federated access (e.g., Open Authorization 2 (OAuth2), Security Assertion Markup Language (SAML))

2.2 – Support internetwork trust architectures

• Trust relationships (e.g., 1-way, 2-way, transitive, zero)
• Internet, intranet and extranet
• Third-party connections

2.3 – Participate in the identity management lifecycle

• Authorization
• Proofing
• Provisioning/De-provisioning
• Maintenance
• Entitlement
• Identity and Access Management (IAM) systems

2.4 – Understand and apply access controls

• Mandatory
• Discretionary
• Role-based (e.g., attribute-, subject-, object-based)
• Rule-based

3.1 – Understand the risk management process

• Risk visibility and reporting (e.g., risk register, Common Vulnerability Scoring (CVSS), sharing threat intelligence/Indicators of Compromise (IOC))
• Risk management concepts (e.g., threat modeling, impact assessments)
• Risk management frameworks
• Risk tolerance (e.g., appetite)
• Risk treatment (e.g., acceptance, transference, mitigation, or avoidance)

3.2 – Understand legal and regulatory concerns (e.g., jurisdiction, limitations, privacy)

3.3 – Participate in security assessment and vulnerability management activities

• Security testing
• Risk review (e.g., internal, supplier, architecture)
• Vulnerability management lifecycle

3.4 – Operate and monitor security platforms (e.g., continuous monitoring)

• Source systems (e.g., applications, security appliances, network devices, and hosts)
• Events of interest (e.g., anomalies, intrusions, unauthorized changes, compliance monitoring)
• Log management
• Event aggregation and correlation

3.5 – Analyze monitoring results

• Security baselines and anomalies
• Visualizations, metrics, and trends (e.g., notifications, dashboards, timelines)
• Event data analysis
• Document and communicate findings (e.g., escalation)

4.1 – Support incident lifecycle, e.g., National Institute of Standards and Technology (NIST), International Organization for Standardization (ISO)

• Preparation
• Detection, analysis and escalation
• Containment
• Eradication
• Recovery
• Lessons learned/implementation of new countermeasure

4.2 – Understand and support forensic investigations

• Legal (e.g., civil, criminal, administrative) and ethical principles
• Evidence handling (e.g., first responder, triage, chain of custody, preservation of scene)
• Reporting of analysis

4.3 – Understand and support Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP)

• Emergency response plans and procedures (e.g., pandemic, natural disaster, information system contingency, crisis management)
• Interim or alternate processing strategies
• Restoration planning
• Backup and redundancy implementation
• Testing and drills

5.1 – Understand cryptography

• Confidentiality
• Integrity and authenticity
• Data sensitivity (e.g., Personally Identifiable Information (PII), Intellectual Property (IP), Protected Health Information (PHI))
• Regulatory and industry best practices (e.g., International Organization for Standardization (ISO), Payment Card Industry Data Security Standards (PCI-DSS))

5.2 – Apply cryptography concepts

• Hashing
• Salting
• Symmetric/Asymmetric encryption/Elliptic Curve Cryptography (ECC)
• Non-repudiation (e.g., digital signatures/certificates, Hash-based Message Authentication Code (HMAC), audit trails)
• Strength of encryption algorithms and keys (e.g., Advanced Encryption Standards (AES), Rivest-Shamir-Adleman (RSA), 256-, 512-, 1024-, 2048-bit keys)
• Cryptographic attacks, cryptanalysis, and countermeasures (e.g., quantum computing)

5.3 – Understand and implement secure protocols

• Services and protocols
• Common use cases
• Limitations and vulnerabilities

5.4 – Understand Public Key Infrastructure (PKI)

• Fundamental key management concepts (e.g., storage, rotation, composition, generation, destruction, exchange, revocation, escrow)
• Web of Trust (WOT)

6.1 – Understand and apply fundamental concepts of networking

• Open Systems Interconnection (OSI) and Transmission Control Protocol/Internet Protocol (TCP/IP) models
• Network topologies
• Network relationships (e.g., Peer-to-Peer (P2P), client server)
• Transmission media types (e.g., wired, wireless)
• Software-Defined Networking (SDN) (e.g., Software-Defined Wide Area Network (SD-WAN), network virtualization, automation)
• Commonly used ports and protocols

6.2 – Understand network attacks

• Distributed Denial of Service (DDoS)
• Man-in-the-Middle (MITM)
• Domain Name System (DNS) poisoning
• Countermeasures (e.g., Content Delivery Networks (CDN)

6.3 – Manage network access controls

• Network access controls, standards and protocols (e.g.,  Remote Authentication Dial-In User Service (RADIUS), Institute of Electrical and Electronics Engineers (IEEE) 802.1X, Terminal Access Controller Access-Control System Plus (TACACS+))
• Remote access operation and configuration (e.g., thin client, Virtual Private Network (VPN))

6.4 – Manage network security

• Logical and physical network devices placement of (e.g., passive, inline, virtual)
• Segmentation (e.g., data/control plane, physical/logical, Virtual Local Area Network (VLAN), Access Control List (ACL), firewall zones, micro-segmentation)
• Secure device management

6.5 – Operate and configure network-based security devices

• Firewalls and proxies (e.g., filtering methods, Web Application Firewalls (WAF))
• Network intrusion detection/prevention systems
• Routers and switches
• Traffic-shaping devices (e.g., Wide Area Network (WAN) optimization, load balancing)

6.6 – Secure wireless communications

• Technologies (e.g., cellular network, Wi-Fi, Bluetooth, Near-Field Communication (NFC))
• Authentication and encryption protocols (e.g., Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA), Extensible Authentication Protocol (EAP))
• Internet of Things (IoT)

7.1 – Identify and analyze malicious code and activity

• Malware (e.g., spyware, scareware, ransomware, trojans, viruses, worms, rootkits, trapdoors, backdoors, fileless)
• Malware countermeasures (e.g., scanners, anti-malware, code signing)
• Malicious activity (e.g., data theft, Distributed Denial of Service (DDoS), insider threat, botnet, zero-day exploits, web-based attacks, Advanced Persistent Threat (APT))
• Malicious activity countermeasures (e.g., user awareness, patching, sandboxing, system hardening, isolation, Data Loss Prevention (DLP))

7.2 – Implement and operate endpoint device security

• Host-based firewalls
• Application whitelisting
• Host-based Intrusion Prevention System (HIPS)
• Endpoint encryption (e.g., whole disk encryption)
• Trusted Platform Module (TPM)
• Secure browsing
• Endpoint Detection and Response (EDR)

7.3 – Administer Mobile Device Management (MDM)

• Provisioning techniques (e.g., Corporate-Owned Personally Enabled (COPE), Bring Your Own Device (BYOD))
• Containerization
• Encryption
• Mobile application management (MAM)

7.4 – Understand and configure cloud security

• Deployment models (e.g., private, public, hybrid, community)
• Service models (e.g., Platform as a Service (PaaS), Infrastructure as a Service (IaaS), and Software as a Service (SaaS))
• Virtualization
• Legal and regulatory concerns (e.g., privacy, jurisdiction, surveillance, data ownership, eDiscovery)
• Data storage, processing, and transmission (e.g., recovery, resilience, archiving)
• Third-party/outsourcing requirements (e.g., data portability, Service-Level Agreement (SLA), data destruction, auditing)
• Shared responsibility model

7.5 – Operate and maintain secure virtual environments

• Containers
• Hypervisor
• Virtual appliances
• Continuity and resilience
• Attacks and countermeasures
• Shared storage